Posted to user@struts.apache.org by "Jon.Ridgway" <Jo...@upco.co.uk> on 2001/06/01 10:36:09 UTC

RE: Potential Security Flaw in Struts MVC

Hi Kumera,

If you want to check at the form level, have you considered using a custom
tag, such as the app:checkLogon tag used in the example app provided with
Struts? It's perhaps not the best way, as others have pointed out on this
list, but it seems to fit your requirements.

Jon.

-----Original Message-----
From: Jim Richards [mailto:grumpy@cyber4.org] 
Sent: 31 May 2001 09:21
To: struts-user@jakarta.apache.org
Subject: Re: Potential Security Flaw in Struts MVC

At 11:53 PM 30/05/01 -0700, you wrote:
>A good way of removing the bucketloads :-} from your Action classes is to
>subclass ActionServlet and implement processActionPerform to do the logon
>check.

It's not just for login though, that was the example I used, every action that
generates a form needs to do this. Mostly it is checking against URL hacking.

--
Kumera - a new Open Source Content Management System
for small to medium web sites written in Perl and using XML
http://www.cyber4.org/kumera/index.html
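Both places discussed in this thread for the logon check, as an added example written against the Struts 1.0 API (it is not the code of the Struts example app or of anyone on this list): a form-level custom tag in the style of app:checkLogon, and the subclassed ActionServlet overriding processActionPerform so the check runs before every action, which is what closes the URL-hacking gap for actions whose JSP forgot the tag. The session key "user", the paths "/logon.jsp" and "/logon", the global forward named "logon" and the exact processActionPerform signature are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionServlet;

/** Form-level check (Jon's suggestion): <app:checkLogon/> at the top of each JSP that renders a form. */
public class CheckLogonTag extends TagSupport {
    private static final String USER_KEY = "user";         // session attribute set at logon (assumed name)
    private static final String LOGON_PAGE = "/logon.jsp"; // where unauthenticated users are sent (assumed)

    public int doStartTag() { return SKIP_BODY; }

    public int doEndTag() throws JspException {
        HttpSession session = pageContext.getSession();
        if (session != null && session.getAttribute(USER_KEY) != null) {
            return EVAL_PAGE;   // logged on: render the rest of the page
        }
        try {
            pageContext.forward(LOGON_PAGE); // not logged on: show the logon form instead
        } catch (Exception e) {
            throw new JspException(e.getMessage());
        }
        return SKIP_PAGE;   // nothing after the tag is rendered, so the protected form is never emitted
    }
}

/** Central check (the quoted suggestion): runs before every action, including ones whose JSP has no tag. */
class LogonCheckingActionServlet extends ActionServlet {
    protected ActionForward processActionPerform(Action action, ActionMapping mapping,
            ActionForm formInstance, HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Only the logon action itself is reachable without a session (assumed mapping path).
        if (!"/logon".equals(mapping.getPath())) {
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                // Deny by default: a hand-typed URL to a protected action never reaches Action.perform().
                return mapping.findForward("logon");   // assumed global forward to the logon page
            }
        }
        return super.processActionPerform(action, mapping, formInstance, request, response);
    }
}
```

The tag still needs a TLD entry mapping checkLogon to the class, and the servlet subclass replaces org.apache.struts.action.ActionServlet in web.xml.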